
🐛 Bug Report: Backstage 1.16 has a critical vulnerability for tough-cookie 2.5.0 in Cypress and @backstage/backend-common modules #18827

Closed
bbasu opened this issue Jul 28, 2023 · 4 comments
Labels
bug Something isn't working

Comments

@bbasu

bbasu commented Jul 28, 2023

📜 Description

After upgrading to Backstage 1.16 we still have a critical vulnerability for tough-cookie 2.5.0. When we trace it through

 yarn why tough-cookie

we see that the 2.5.0 version is being referenced in 2 places like below:

yarn why tough-cookie
yarn why v1.22.17
[1/4] Why do we have the module "tough-cookie"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "tough-cookie@2.5.0"
info Has been hoisted to "tough-cookie"
info Reasons this module exists
  • "workspace-aggregator-29dc2367-ed34-4cdd-ae81-ed1b0258236e" depends on it
    - Hoisted from "project#app#cypress#@cypress#request#tough-cookie"
  • Hoisted from "project#backend#@backstage#backend-common#@kubernetes#client-node#request#tough-cookie"
info Disk size without dependencies: "104KB"
info Disk size with unique dependencies: "620KB"
info Disk size with transitive dependencies: "620KB"
info Number of shared dependencies: 2
=> Found "jsdom#tough-cookie@4.1.3"
info This module exists because "project#@backstage#cli#jest-environment-jsdom#jsdom" depends on it.
info Disk size without dependencies: "132KB"
info Disk size with unique dependencies: "744KB"
info Disk size with transitive dependencies: "788KB"
info Number of shared dependencies: 5
=> Found "isomorphic-dompurify#tough-cookie@4.1.3"
info Reasons this module exists
  • "project#app#@backstage#plugin-api-docs#@asyncapi#react-component#isomorphic-dompurify#jsdom" depends on it
  • Hoisted from "project#app#@backstage#plugin-api-docs#@asyncapi#react-component#isomorphic-dompurify#jsdom#tough-cookie"
info Disk size without dependencies: "132KB"
info Disk size with unique dependencies: "744KB"
info Disk size with transitive dependencies: "788KB"
info Number of shared dependencies: 5
Done in 1.57s.

Cypress and @backstage/backend-common. Can someone tell us how to make these modules use the latest tough-cookie v4.1.3? Or is this something that needs an update from the owners of the Cypress and @backstage/backend-common modules?

👍 Expected behavior

Cypress and @backstage/backend-common should include the latest version of tough-cookie as a dependency

👎 Actual Behavior with Screenshots

Cypress and @backstage/backend-common include a vulnerable version of tough-cookie (2.5.0) as a dependency

👟 Reproduction steps

In the project, run

yarn audit

yarn why tough-cookie

📃 Provide the context for the Bug.

Tried upgrading backstage to the latest 1.16 version

🖥️ Your Environment

No response

👀 Have you spent some time to check if this bug has been raised before?

  • I checked and didn't find a similar issue

🏢 Have you read the Code of Conduct?

Are you willing to submit PR?

Yes I am willing to submit a PR!

@bbasu bbasu added the bug Something isn't working label Jul 28, 2023
@bbasu bbasu changed the title 🐛 Bug Report: <title> 🐛 Bug Report: Backstage 1.16 have a critical vulnerability for tough-cookie 2.5.0 in Cypress and @backstage/backend-common modules Jul 28, 2023
@awanlin
Collaborator

awanlin commented Jul 28, 2023

Hi @bbasu, in this case this is not a direct dependency of Backstage packages but of other packages used by Backstage. In this case there are tools like Renovate, Dependabot, or Snyk that would help identify and upgrade for you.

@Rugvip
Member

Rugvip commented Jul 31, 2023

We're bringing in a vulnerable version of tough-cookie due to @kubernetes/client-node, which in turn depends on the deprecated request package. There's a migration ongoing: kubernetes-client/javascript#754.

The latest version of jsdom no longer depends on a vulnerable version of tough-cookie, so you'll be able to bump that version on your end.

I would imagine that there's no actual exposure to the vulnerability in tough-cookie in practice, as it seems to be related only to the cookie jar, and I'd be surprised if that was used in @kubernetes/client-node. It's not something I've verified though.
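Added here as an example, not code from the issue or from the Backstage project: a small Node script that reads a Yarn v1 yarn.lock and reports every resolved version of tough-cookie below a chosen minimum, so a dependency bump (or a Yarn `resolutions` override) can be checked against the lockfile rather than against what `yarn why` happens to hoist. The yarn.lock excerpt is constructed to mirror the `yarn why` output in the report.

```javascript
// Added example (not from the issue or Backstage): scan a Yarn v1 yarn.lock
// for every resolved version of one package and flag those older than a
// minimum. Rerun after a fix to confirm tough-cookie@2.5.0 really left the tree.

// Constructed yarn.lock excerpt modelled on the `yarn why` output above.
const SAMPLE_LOCK = `
"tough-cookie@~2.5.0", "tough-cookie@^2.3.3":
  version "2.5.0"
  resolved "https://registry.yarnpkg.com/tough-cookie/-/tough-cookie-2.5.0.tgz"

tough-cookie@^4.1.2:
  version "4.1.3"
  resolved "https://registry.yarnpkg.com/tough-cookie/-/tough-cookie-4.1.3.tgz"
`;

// Parse each top-level "name@range[, name@range]:" key and its version line.
function parseLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (/^\S/.test(line) && line.endsWith(':')) {
      const keys = line.slice(0, -1).split(',').map(k => k.trim().replace(/^"|"$/g, ''));
      const at = keys[0].lastIndexOf('@'); // lastIndexOf keeps @scope/pkg names intact
      current = { name: keys[0].slice(0, at), version: null,
                  ranges: keys.map(k => k.slice(k.lastIndexOf('@') + 1)) };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version "([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Numeric major.minor.patch comparison; pre-release suffixes are ignored.
function versionLt(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  return false;
}

// Resolved versions of `pkg` below `minVersion`, with the ranges that pull them in.
function findVulnerable(lockText, pkg, minVersion) {
  return parseLock(lockText)
    .filter(e => e.name === pkg && e.version && versionLt(e.version, minVersion))
    .map(e => ({ version: e.version, ranges: e.ranges }));
}
```

On a real project, replace SAMPLE_LOCK with `require('fs').readFileSync('yarn.lock', 'utf8')`; the reported ranges tell you which declared dependency (here `~2.5.0` from request) still needs to move.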

@iamvolvo

iamvolvo commented Sep 27, 2023

Would you say this is a duplicate of #18742 ?
If yes, should we close one of them?
Thanks!

@Rugvip
Member

Rugvip commented Sep 28, 2023

Ah yep I will close this, since #18742 is an automatically generated issue

@Rugvip Rugvip closed this as completed Sep 28, 2023